Debian Bug report logs - #796255
vlc: CVE-2015-5949


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 20 Aug 2015 19:54:01 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version vlc/2.2.0~rc2-2

Fixed in versions vlc/2.2.0~rc2-2+deb8u1, vlc/2.2.1-3

Done: Sebastian Ramacher <sramacher@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#796255; Package src:vlc. (Thu, 20 Aug 2015 19:54:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Thu, 20 Aug 2015 19:54:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: vlc: CVE-2015-5949
Date: Thu, 20 Aug 2015 21:51:31 +0200
Source: vlc
Version: 2.2.0~rc2-2
Severity: grave
Tags: security upstream patch fixed-upstream
Justification: user security hole
Control: fixed -1 2.2.0~rc2-2+deb8u1

Hi,

the following vulnerability was published for vlc.

CVE-2015-5949[0]:
No description was found (try on a search engine)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-5949
[1] http://www.ocert.org/advisories/ocert-2015-009.html
[2] https://lists.debian.org/debian-security-announce/2015/msg00241.html

Regards,
Salvatore



Marked as fixed in versions vlc/2.2.0~rc2-2+deb8u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 20 Aug 2015 19:54:06 GMT)


Reply sent to Sebastian Ramacher <sramacher@debian.org>:
You have taken responsibility. (Fri, 21 Aug 2015 06:51:12 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 21 Aug 2015 06:51:12 GMT)


Message #12 received at 796255-close@bugs.debian.org:

From: Sebastian Ramacher <sramacher@debian.org>
To: 796255-close@bugs.debian.org
Subject: Bug#796255: fixed in vlc 2.2.1-3
Date: Fri, 21 Aug 2015 06:50:18 +0000
Source: vlc
Source-Version: 2.2.1-3

We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 796255@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <sramacher@debian.org> (supplier of updated vlc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 21 Aug 2015 08:22:53 +0200
Source: vlc
Binary: libvlc-dev libvlc5 libvlccore-dev libvlccore8 vlc vlc-data vlc-dbg vlc-nox vlc-plugin-fluidsynth vlc-plugin-jack vlc-plugin-notify vlc-plugin-sdl vlc-plugin-svg vlc-plugin-zvbi vlc-plugin-samba vlc-plugin-pulse
Architecture: source all
Version: 2.2.1-3
Distribution: unstable
Urgency: high
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Sebastian Ramacher <sramacher@debian.org>
Description:
 libvlc-dev - development files for libvlc
 libvlc5    - multimedia player and streamer library
 libvlccore-dev - development files for libvlccore
 libvlccore8 - base library for VLC and its modules
 vlc        - multimedia player and streamer
 vlc-data   - Common data for VLC
 vlc-dbg    - debugging symbols for vlc
 vlc-nox    - multimedia player and streamer (without X support)
 vlc-plugin-fluidsynth - FluidSynth plugin for VLC
 vlc-plugin-jack - Jack audio plugins for VLC
 vlc-plugin-notify - LibNotify plugin for VLC
 vlc-plugin-pulse - transitional dummy package for vlc
 vlc-plugin-samba - Samba plugin for VLC
 vlc-plugin-sdl - SDL video and audio output plugin for VLC
 vlc-plugin-svg - SVG plugin for VLC
 vlc-plugin-zvbi - VBI teletext plugin for VLC
Closes: 796255
Changes:
 vlc (2.2.1-3) unstable; urgency=high
 .
   * debian/patches/demux-mp4-correctly-match-release-function.patch: Apply
     upstream patch to fix CVE-2015-5949. (Closes: #796255)
Checksums-Sha1:
 e42b19ead6572eaaba436948047d9e6e55704028 5383 vlc_2.2.1-3.dsc
 98b1ef70f44eb546bc9d86ee5b0b8faba3ef34fb 58968 vlc_2.2.1-3.debian.tar.xz
 71c135c13092d7b599d3dadeab7eddc3fa65e40a 5404956 vlc-data_2.2.1-3_all.deb
 7311454c43301b348c9aeee496b4dbb1deb0b501 860 vlc-plugin-pulse_2.2.1-3_all.deb
Checksums-Sha256:
 8dbd965bc794af5dd49afa41470ea5ead57c863601593f9783828428672d4d67 5383 vlc_2.2.1-3.dsc
 c184d9a7cee03b047d235bd388739accea8d77cd85da10252e0caa04b7418f43 58968 vlc_2.2.1-3.debian.tar.xz
 b1aac7e84261559c151ccbd632e6ca3ea088d5d9554f49980dc9b5bfb08edad9 5404956 vlc-data_2.2.1-3_all.deb
 f52d303256700b65f3510edec8831cdd4028da4caf5991108a808d2cb9bc5321 860 vlc-plugin-pulse_2.2.1-3_all.deb
Files:
 5010899a703c06dc124216b8d97f95e4 5383 video optional vlc_2.2.1-3.dsc
 d611ae7ac3ba135c847881f025f3866d 58968 video optional vlc_2.2.1-3.debian.tar.xz
 500a9289863b889967ec1d8ac8237a53 5404956 video optional vlc-data_2.2.1-3_all.deb
 f4e4b593e068fbca1fc6b2fa45c1e512 860 video optional vlc-plugin-pulse_2.2.1-3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#796255; Package src:vlc. (Fri, 21 Aug 2015 07:03:03 GMT)


Acknowledgement sent to Sebastian Ramacher <sramacher@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Fri, 21 Aug 2015 07:03:03 GMT)


Message #17 received at 796255@bugs.debian.org:

From: Sebastian Ramacher <sramacher@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 796255@bugs.debian.org
Subject: Re: Bug#796255: vlc: CVE-2015-5949
Date: Fri, 21 Aug 2015 09:00:42 +0200
On 2015-08-20 21:51:31, Salvatore Bonaccorso wrote:
> Source: vlc
> Version: 2.2.0~rc2-2
> Severity: grave
> Tags: security upstream patch fixed-upstream
> Justification: user security hole
> Control: fixed -1 2.2.0~rc2-2+deb8u1

Is this the way the Security Team works nowadays? No coordination with the
maintainers at all. We could have at least coordinated the fix for sid.

We were also trying to push 2.2.1 to jessie with other fixes for not CVE-worthy
crashes. Admittedly, the pu request hasn't gotten a reply from the Release Team
in ages, but still …

Thanks for not coordinating with us.
-- 
Sebastian Ramacher

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 04 Oct 2015 08:00:59 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:44:42 2019; Machine Name: buxtehude
